Risky Business #830 -- LiteLLM and security scanner supply chains compromised

On this week’s show, Patrick Gray, Adam Boileau and James WIlson discuss the week’s cybersecurity news. They talk through:

• TeamPCP’s supply chain attack on Github, and they threw in an anti-Iran wiper, because why not?!
• Anthropic hooks up its models to just… use your whole computer
• After Stryker’s Very Bad Day, CISA says maybe add some more controls around your Intune?
• Another iOS exploit kit shows up in the cyber bargain-bin
• The FTC decides to ban… all new home routers?! U wot m8?!
• Supermicro founder was personally sanction-busting Nvidia GPUs into China?!

This week’s episode is sponsored by enterprise browser maker, Island. Chief Customer Officer Bradon Rogers joins Pat to explain how its customers are using Island to control the use of personal AI services in regulated industries.

This episode is also available on Youtube.

Show notes

• ‘CanisterWorm’ Springs Wiper Attack Targeting Iran
• TeamPCP deploys CanisterWorm on NPM following Trivy compromise
• Andrej Karpathy on X: "Software horror: litellm PyPI supply chain" attack
• Checkmarx KICS GitHub Action Compromised: Malware Injected in All Git Tags
• Felix Rieseberg on X: "Today, we’re releasing a feature that allows Claude to control your computer"
• A Top Google Search Result for Claude Plugins Was Planted by Hackers
• Lockheed Martin targeted in alleged breach by pro-Iran hacktivist
• CISA urges companies to secure Microsoft Intune systems after hackers mass-wipe Stryker devices
• FBI seems to seize website tied to Iranian cyberattack on Stryker
• Stryker confirms cyberattack is contained and restoration underway
• Hundreds of Millions of iPhones Can Be Hacked With a New Tool Found in the Wild
• Someone has publicly leaked an exploit kit that can hack millions of iPhones
• Russia-linked hackers use advanced iPhone exploit to target Ukrainians
• Apple rolls out first 'background security' update for iPhones, iPads, and Macs to fix Safari bug
• Post by @wartranslated.bsky.social — Bluesky
• Signal’s Creator Is Helping Encrypt Meta AI
• Hacker says they compromised millions of confidential police tips held by US company
• Millions of 'anonymous' crime tips exposed in massive Crime Stoppers hack
• Feds Disrupt IoT Botnets Behind Huge DDoS Attacks
• FCC bans import of consumer-grade routers amid national security concerns
• White House pours cold water on cyber ‘letters of marque’ speculation
• Google launches threat disruption unit, stops short of calling it ‘offensive'
• Supermicro’s cofounder was just arrested for allegedly smuggling $2.5 billion in GPUs to China
• Cyberattack on vehicle breathalyzer company leaves drivers stranded across the US
• Man pleads guilty to $8 million AI-generated music scheme
• Two Israelis AI generated "intelligence" and sold it to Iran